Moving beyond an "allow or deny" choice could reduce friction between agency security pros and their end users.
When it comes to information security, agency defense systems typically default to a binary choice: allow or deny. Any event with a hint of exfiltration, even if it is just an employee accessing a file to do their job, can result in automatic denial. This rigidity can drive the user to seek workarounds that create even more risk, while requiring IT and security managers to spend time chasing down security alerts. The result is friction and frustration between security professionals and end users.
Better data protection and productivity require more subtle and targeted security measures. Instead of "all or nothing" approaches that lock everyone out at the hint of perceived impropriety, agencies should consider implementing security procedures that provide better visibility and context into how and why users interact with data. They can then set up policies that are automatically enforced only when necessary, allowing everyone to focus on doing their jobs. This results in a more secure enterprise with less friction slowing it down, the proverbial win/win.
This human-centric approach to security can be achieved through passively monitoring the behavior patterns of users throughout the organization and fingerprinting them. Through a process known as risk adaptive protection, agencies can gain a better understanding of how, when, and why people use and access information.
Human beings are creatures of habit, and risk adaptive protection places each user’s actions into a larger context based on their established patterns of behavior. It starts with a baseline “normal” understanding of user patterns and proceeds to compare future actions to that baseline. Any deviations could trigger automatic security responses (anything from closer monitoring, to a warning, to denial of privileges or other measures) depending on the policies and protocols set forth by agency administrators.
In this process, every user is assigned a “risk score”—a numerical value indicating their potential risk factor. Risk scores are determined by the users’ access to data and can fluctuate over time based on a number of factors, including changing roles and responsibilities and behavior patterns. Unlike the majority of today’s binary security systems, the risk adaptive system can automatically adjust to account for these changes.
These scores do not necessarily indicate a security threat; rather, they are meant to identify people with high access to sensitive data. For instance, an agency CIO could have a high risk score and not be a threat. Alternatively, a person with a low risk score could see their score raised if they display unusual patterns of behavior or if their job changes into one that requires access to proprietary information. Questionable activities can be met with targeted blocking of individual access rights or closer monitoring of the user in question.
For example, a user may typically log into the system every morning to access the same type of files—a normal pattern of behavior. But what if that user suddenly starts to attempt to access the network in the middle of the night, or begins attempting to upload sensitive information to an unauthorized Google Drive account while not physically at their desk or connected via VPN? That is indicative of anomalous and potentially suspicious behavior and could indicate that an individual’s credentials have been compromised. The system could automatically target and block that individual user without impacting the rest of the organization. At a minimum, we would expect an automated alert allowing security personnel to rapidly apply additional inspection.
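The graduated, per-user response described above can be sketched as a small policy function. This is an added illustration, not code from the article or from any vendor product; the point values, thresholds, user baselines and destination names are constructed assumptions, and the standing access score deliberately never triggers a response on its own.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Baseline:
    """Constructed 'normal' pattern for one user, plus the access-based standing score."""
    access_risk: int            # 0-100; high for e.g. a CIO with broad data access, not a threat level
    work_hours: range           # local hours in which this user normally logs in
    approved_destinations: set  # upload targets that belong to the normal pattern

@dataclass
class Event:
    action: str                 # "login" or "upload"
    when: datetime
    destination: str = ""       # only meaningful for uploads
    on_vpn: bool = True
    at_desk: bool = True

def deviation_points(ev: Event, bl: Baseline) -> int:
    """Score how far one event departs from the user's established baseline."""
    points = 0
    if ev.when.hour not in bl.work_hours:
        points += 20            # off-hours activity
    if ev.action == "upload" and ev.destination not in bl.approved_destinations:
        points += 40            # destination outside the normal pattern
    if not (ev.on_vpn or ev.at_desk):
        points += 30            # neither at desk nor on VPN
    return points

def decide(ev: Event, bl: Baseline) -> str:
    """Pick a graduated response; a high access_risk by itself never triggers one."""
    deviation = deviation_points(ev, bl)
    if deviation == 0:
        return "allow"
    weighted = deviation * bl.access_risk // 50   # same deviation weighs more for high-access users
    if weighted >= 80:
        return "alert_and_block"                  # block this user only and alert security staff
    if weighted >= 40:
        return "warn"
    return "monitor"

# Constructed sample users and events (hypothetical destination names).
CIO = Baseline(90, range(7, 19), {"agency-sharepoint"})
ANALYST = Baseline(50, range(8, 18), {"agency-sharepoint"})
MORNING_LOGIN = Event("login", datetime(2024, 3, 4, 9, 0))
NIGHT_LOGIN = Event("login", datetime(2024, 3, 4, 3, 0))
NIGHT_UPLOAD = Event("upload", datetime(2024, 3, 4, 3, 10), destination="personal-google-drive",
                     on_vpn=False, at_desk=False)

if __name__ == "__main__":
    print(decide(MORNING_LOGIN, CIO), decide(NIGHT_LOGIN, ANALYST), decide(NIGHT_UPLOAD, ANALYST))
```

Only the night-time upload from an off-network location reaches the blocking tier, and it blocks that one user; the same off-hours login alone is merely monitored.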
Less Friction, Fewer Frustrations, Better Security
Once the administrator has established that this is a real problem and not a false alarm, they can take action to mitigate the risk as it occurs. Security protocols and responses can be adapted to how agency personnel interact with data and to the agency's acceptable risk levels.
Importantly, all of this can be done at the individual level. The daily routine of the organization as a whole remains unaffected, and security is improved—no binary choice necessary. We moved away from black and white television in the '60s, shouldn’t we move away from black and white security in this decade?
Eric Trexler is vice president of Global Governments and Critical Infrastructure at Forcepoint.